port 6667 activity

**waytallgel** · August 4th, 2003, 07:10 PM

hmmm something went wrong when I posted... Oh well, here goes again. So I got a win2k server set up on the internet as a mail server and it patches itself about once a week (ms patches). The other day I notice the traffic has just about doubled. I did a netstat -a to see connections and I see a connection originating from my machine (port 1039 standard, I know) to port 6667 on someone's IP address. So I ran a full scan with NAV and found nothing, then I went and downloaded the cleaner by moosoft and ran that and it picked up nothing. The Cleaner also comes with a component that maps processes to ports and the one above didn't even show up. Then I checked the run keys in the registry and didn't find anything suspicious looking. Anybody have any idea what's goin on I know IRC listens on port 6667 and I saw some stuff on google about people using 6667 for DoS attacks, but I checked a few and looked for the files they said were found on the attacking machines. Alas I found nothing.

Thanks for your help
Greg

**Negative** · August 4th, 2003, 07:16 PM

I deleted all 'previous' posts... heh... now this thread makes sense again

***Shrekkie*** · August 4th, 2003, 09:32 PM

Why don't you give us the ip and we'll have a look .

BTW Negative : Get your roots sorted out and get that Belgian flag back in place

***Tedob1*** · August 4th, 2003, 11:20 PM

do a netstat with no flags and see what irc server

do a search on your computer for mIRC.ini

get fport from foundstone.com and run it from dos. this will map each port to the app using it See what app is using 1029

let us know what you find

***keezel*** · August 4th, 2003, 11:33 PM

The number "6667" definately sets an alarm off in my head....I remember reading about some trojan/worm/somethin-er-other that uses port 6667. I'll look, but I'm posting it just in case it triggers any memories from anyone else. I'll edit the post if I find anything. *goez lookin*

***thehorse13*** · August 4th, 2003, 11:53 PM

If it's not just an IRC server running, it can be *any* of these oldies but goodies:
Dark FTP
ScheduleAgent
SubSeven
DefCon 8
Trinity
WinSatan

Either get your hands on TCPView (my personal favorite process explorer) or as suggested, Fport will do the same thing without the pretty GUI.

You can get TCPView here:
http://www.webattack.com/get/tcpview.shtml

Hope this helps.

--TH13

***Tedob1*** · August 5th, 2003, 12:21 AM

i was going to suggest the pstool kit from systernals.com but its difficult for one to know what prosesses to kill until you see which ones are connecting to the net. usually process listers dont map to port.

the problem is mIRC serve-u and the others aren't trojans so NAV will not pick them up and the names of the exe's are changed so you dont recognize then amoung the processes. They can be installed by worms like muma or the newest one that exploits RPC or installed manually by someone whose broken into your machine

***thehorse13*** · August 5th, 2003, 12:23 AM

usually process listers dont map to port.

Yep, most don't but TCPView is one of the few that does.

***Tedob1*** · August 5th, 2003, 01:28 AM

very cool thehorse13 thanks allot!

if this guy ever replys, we can throw (not through) a ton of stuff on there! :-)

TCPview comes from systernals as well...what a bunch of buds they are

its a gui but at least i can maintain my esoteric aire by calling it from the run box LoL

***thehorse13*** · August 5th, 2003, 01:51 AM

Yeah, I'm hoping that he'll post the output from one of the viewers we have suggested.

Thread: port 6667 activity

Thread Tools

Display

Posting Permissions